Ali Yazdani

Principal Product Security Engineer

Berlin, Germany
Experience
Jul 2024 - Dec 2024
6 months

Principal Product Security Engineer

Payrails GmbH

  • Defined and executed a comprehensive security roadmap, integrating Shift-Left Security, CNAPP, and DevSecOps principles to streamline secure product development and reduce risk exposure.
  • Established a robust threat modeling framework, embedding security into design processes for early identification of vulnerabilities and risk reduction.
  • Developed a scalable Vulnerability Management program to accelerate detection and remediation, significantly shortening the risk response cycle.
  • Enhanced cloud and container security using advanced tools such as Tetragon to achieve deeper visibility and implement a defense-in-depth strategy.
  • Automated security controls in CI/CD pipelines to maintain continuous delivery with robust safeguards.
  • Championed cross-functional collaboration to prioritize threats and align remediation efforts, fostering a unified security culture.
  • Ensured regulatory compliance and audit readiness by collaborating with the InfoSec team to adhere to internal policies and support audits for standards like PCI-DSS and SOC2.
Aug 2022 - Jun 2024
1 year 11 months

Principal Security Engineer

ScoutBee GmbH

  • Embedded secure development practices by collaborating with development teams to implement secure coding best practices and establish robust CI/CD guardrails.
  • Enhanced cloud security posture by introducing Infrastructure as Code (IaC) scanning, Cloud-Native Application Protection Platforms (CNAPP), and Policy as Code.
  • Conducted threat modeling and secure coding workshops to empower teams in proactively identifying and mitigating risks during design and development.
  • Integrated SAST, SCA, IaC security scanning, Policy as Code, and DAST into CI/CD pipelines across four projects to reduce remediation costs and turnaround times.
  • Implemented IAM/PAM and Zero Trust by designing and deploying solutions enforcing least privilege access, including JIT access, RBAC, MFA, and continuous access monitoring.
  • Facilitated targeted threat modeling exercises to reduce software vulnerabilities before development.
  • Directed penetration testing and vulnerability management programs, improving time-to-resolution and enhancing overall product security.
  • Promoted DevSecOps culture, emphasizing Shift-Left strategies in SDLC to detect and remediate threats early and reduce security risks.
  • Conducted comprehensive security assessments and audits for applications and infrastructure, adhering to standards such as ISO 27001, TISAX, SOC2, and GDPR.
Feb 2022 - Jul 2022
6 months

Staff Security Engineer

NewStore GmbH

  • Developed and implemented application and API security strategies incorporating secure coding practices and robust authentication and authorization mechanisms.
  • Designed tailored security controls across AWS environments and Kubernetes deployments to reinforce cloud security posture.
  • Directed penetration testing and vulnerability management initiatives to identify and remediate security gaps across applications, APIs, and infrastructure.
  • Conducted security assessments and audits to ensure compliance with industry standards and regulations like ISO 27001, SOC2, and GDPR.
Sep 2021 - Feb 2022
6 months

Engineering Lead DevSecOps

Henkel AG

  • Integrated advanced DevSecOps technologies into CI/CD pipelines to strengthen application and infrastructure security.
  • Spearheaded threat modeling sessions to uncover and mitigate security vulnerabilities in software designs.
  • Championed a Shift-Left strategy by embedding security controls throughout the SDLC in collaboration with DevOps teams, fostering a culture of continuous improvement and heightened security awareness.
Jul 2019 - Aug 2021
2 years 2 months

Senior Security Engineer

Raisin GmbH

  • Conducted vulnerability assessments and penetration tests to uncover and remediate security weaknesses in applications, APIs, and infrastructure.
  • Designed and evaluated Azure IaaS and PaaS cloud and hybrid infrastructure solutions to ensure robust data protection.
  • Applied threat modeling techniques to assess software designs and infrastructure, implementing effective countermeasures.
  • Executed security testing and code reviews within the SDLC, including integrating SAST, SCA, and DAST tools into CI/CD pipelines to support a Shift-Left security strategy.
  • Collaborated with development, operations, and security teams to embed security practices into DevOps workflows.
Dec 2016 - Present
8 years 8 months

Open-Source Security Contributions

  • Led the OWASP DevSecOps Guideline project, developing a comprehensive guide for integrating security into DevOps practices.
  • Contributed to the OWASP Mobile Security Testing Guide (MSTG), assisting in the creation and refinement of this widely recognized framework for mobile application security testing.
Nov 2015 - Apr 2019
3 years 6 months

Red Team Tech Lead

MTN Irancell

  • Led vulnerability assessments and penetration testing to identify and address security gaps in networks, applications, and systems.
  • Reviewed service architectures and conducted threat modeling for critical services, designing countermeasures to protect data.
  • Enforced IT infrastructure security checklists for new and existing systems to ensure regulatory adherence.
  • Engineered security tools and automation scripts to streamline processes.
  • Formulated and implemented security policies, procedures, and standards aligned with industry best practices.
Jan 2011 - Dec 2013
3 years

Bachelor Computer Software Engineering

jedeihe.ac.ir

Mar 2010 - Dec 2018
8 years 10 months

Penetration Tester

  • Conducted web application penetration tests using tools like Burp Suite, OWASP ZAP, and Nmap to identify vulnerabilities, including XSS and SQL injection.
  • Executed mobile application testing for iOS and Android platforms using MobSF, APK Analyzer, and Frida to uncover issues like insecure data storage.
  • Compiled vulnerability reports with detailed risk assessments and remediation recommendations, effectively communicating findings to technical and management teams.
Jan 2006 - Dec 2009
4 years

Associate Computer Software Engineering

jedeihe.ac.ir

Summary

Accomplished Security Engineer with 10+ years across Telco, FinTech, Retail, and SaaS. I integrate robust security practices into software development through DevSecOps, threat modeling, penetration testing, and vulnerability management—bridging the gap between technical and business teams.

As leader of the OWASP DevSecOps Guideline project and a regular industry speaker, I drive secure, cost-effective innovation and champion a culture of proactive application security.

Languages
Persian
Native
English
Advanced
Education
Oct 2011 - Jun 2013

jdeihe.ac.ir

Computer Software Engineering

Oct 2006 - Jun 2009

jdeihe.ac.ir

Computer Software Engineering

Certifications & licenses

OWASP DevSecOps Guideline

OWASP Foundation

OWASP Mobile Security Testing Guide (MSTG)

OWASP Foundation
